Signature device, verification device, signature method, verification method, and computer readable medium

ABSTRACT

A signature device ( 30 ) acquires a signature key SK(x → ) in which an attribute vector x →  is set over a basis B* of a basis B and the basis B*, which are dual bases in dual vector spaces. The signature device ( 30 ) generates a signature sig for a message MSG by setting predicate information of arithmetic branching programs (ABP) for the signature key SK(x → ). The signature device ( 30 ) outputs the signature sig and the message MSG to a verification device ( 40 ).

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a Continuation of PCT International Application No.PCT/JP2019/047995, filed on Dec. 9, 2019, which claims priority under 35U.S.C. 119(a) to Patent Application No. 2019-048622, filed in Japan onMar. 15, 2019, all of which are hereby expressly incorporated byreference into the present application.

TECHNICAL FIELD

The present invention relates to a signature technique using arithmeticbranching programs (ABP).

BACKGROUND ART

Non-Patent Literature 1 describes an attribute-based signature (ABS)scheme for a general predicate determined by a polynomial-sized circuit,a polynomial-time computable Turing machine, and the like.

CITATION LIST Non-Patent Literature

-   Non-Patent Literature 1: Y. Sakai, S. Katsumata, N. Attrapadung, G.    Hanaoka, Attribute-based signatures for unbounded languages from    standard assumptions

SUMMARY OF INVENTION Technical Problem

However, the scheme described in Non-Patent Literature 1 is highlytheoretical, and it is difficult to achieve efficiency that allowsactual use.

It is an object of the present invention to allow a practical ABS schemeto be constructed.

Solution to Problem

A signature device according to the present invention includes

an acquisition unit to acquire a signature key in which an attributevector is set over a basis B* of a basis B and the basis B*, which aredual bases in dual vector spaces;

a signature unit to generate a signature for a message by settingpredicate information of arithmetic branching programs (ABP) for thesignature key acquired by the acquisition unit; and

an output unit to output the signature generated by the signature unitand the message.

Advantageous Effects of Invention

In the present invention, a signature is generated by setting apredicate vector of ABP for a signature key in which an attribute vectoris set. This allows a practical ABS scheme to be constructed.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a configuration diagram of a signature system 1 according to afirst embodiment;

FIG. 2 is a configuration diagram of a setup device 10 according to thefirst embodiment;

FIG. 3 is a configuration diagram of a key generation device 20according to the first embodiment;

FIG. 4 is a configuration diagram of a signature device 30 according tothe first embodiment;

FIG. 5 is a configuration diagram of a verification device 40 accordingto the first embodiment;

FIG. 6 is a flowchart illustrating operation of the setup device 10according to the first embodiment;

FIG. 7 is a flowchart illustrating operation of the key generationdevice 20 according to the first embodiment;

FIG. 8 is a flowchart illustrating operation of the signature device 30according to the first embodiment;

FIG. 9 is a flowchart illustrating operation of the verification device40 according to the first embodiment;

FIG. 10 is a configuration diagram of the setup device 10 according to asecond variation;

FIG. 11 is a configuration diagram of the key generation device 20according to the second variation;

FIG. 12 is a configuration diagram of the signature device 30 accordingto the second variation; and

FIG. 13 is a configuration diagram of the verification device 40according to the second variation.

DESCRIPTION OF EMBODIMENTS First Embodiment Notations

Notations to be used in the following description will be described.

Formula 101 denotes a security parameter, and 1^(λ) represents unaryencoding.λ∈

  [Formula 101]

Formula 102 denotes a finite field modulo q. Formula 102 will be writtenas a field F_(q) or simply as F_(q).

for any prime q∈

  [Formula 102]

For Formula 103, Formula 104 is defined.d∈

,c∈

∪{0}(c<d)  [Formula 103][d]={1, . . . , d},[c,d]={c, . . . , d}  [Formula 104]

Formula 105 denotes a process of uniformly sampling an element z from aset Z.

$\begin{matrix}{z\overset{U}{\longleftarrow}Z} & \left\lbrack {{Formula}105} \right\rbrack\end{matrix}$

#Z denotes the size or cardinality of the set Z.

For a probabilistic algorithm P, Formula 106 denotes a process ofsampling II from the output distribution of the algorithm P on input Θwith a uniform random tape.

$\begin{matrix}{\Pi\overset{R}{\longleftarrow}{P(\Theta)}} & \left\lbrack {{Formula}106} \right\rbrack\end{matrix}$

For a deterministic algorithm D, Π=V(Θ) denotes output of the algorithmD on input Θ.

It is assumed that each algorithm is given the unary representation1^(λ) of the security parameter λ as input without any explicitindication of the input when it is clear from the context.

For Formula 107, Formula 108 denotes a vector indicated in Formula 109.Formula 108 will be written as v^(→).

, d∈

  [Formula 107]{right arrow over (v)}  [Formula 108](v ₁ , . . . , v _(d)) ∈

^(d)where v _(i)∈

for all i∈[d]  [Formula 109]

An all zero vector over a field F_(q) ^(d) will be written as indicatedin Formula 110.Ō^(d)  [Formula 110]

A normal basis vector over the field F_(q) ^(d) is represented asindicated in Formula 111.

$\begin{matrix}{{{\overset{\rightarrow}{e}\left( {d,i} \right)} = {\overset{i - 1}{\overset{︷}{\left( {0,\ldots,0,} \right.}}1}},{{\overset{d - i}{\overset{︷}{\left. {0,\ldots,0} \right)}}{}{for}i} \in \lbrack d\rbrack}} & \left\lbrack {{Formula}111} \right\rbrack\end{matrix}$

For two vectors indicated in Formula 112, Formula 113 denotes the innerproduct of a vector v^(→) and a vector w^(→). That is, Formula 113denotes Formula 114.

$\begin{matrix}{\overset{\rightarrow}{v},{\overset{\rightarrow}{w} \in {\mathbb{F}}_{q}^{d}}} & \left\lbrack {{Formula}112} \right\rbrack\end{matrix}$ $\begin{matrix}{\overset{\rightarrow}{v} \cdot \overset{\rightarrow}{w}} & \left\lbrack {{Formula}113} \right\rbrack\end{matrix}$ $\begin{matrix}{{\overset{\rightarrow}{v} \cdot \overset{\rightarrow}{w}} = {{\sum\limits_{i \in {\lbrack d\rbrack}}^{}{v_{i}w_{i}}} \in {\mathbb{F}}_{q}}} & \left\lbrack {{Formula}114} \right\rbrack\end{matrix}$

Formula 115 denotes a subspace of the field F_(q) ^(d) formed by Formula116.for any s∈

, and any { v ^((i))}_(i∈[s])⊂

_(q) ^(d)  [Formula 115]SPAN

v |i ∈[s]

  [Formula 116]

Formula 117 denotes a multiplicative cyclic group. Formula 117 will bewritten as a group G or simply as G.

  [Formula 117]

For the group G and a generator g of the group G, v denotes ad-dimensional vector of group elements. That is, this is expressed inFormula 118.v=(g ^(v) ₁ , . . . , g ^(v) _(d)) ∈

^(d) for some d∈

where v =(v ₁ , . . . , v _(d)) ∈

^(d)  [Formula 118]

M=(m_(k,i)) denotes a d×r matrix with entries m_(i,k) ∈F_(q). M^(T)denotes a transpose of the matrix M. Note that det(M) denotes adeterminant of the matrix M. In describing matrices, I denotes anidentity matrix, and 0 denotes a zero matrix. GL(d, F_(q)) denotes a setof all d×d invertible matrices over F_(q) ^(d×d).

Preliminaries

Definitions of terms and the like to be used in the followingdescription will be described.

In a first embodiment, an ABS scheme using a predicate of ABP will bedescribed. In the first embodiment, an arithmetic span program (ASP)representation of a predicate of ABP is used. Therefore, ABP and ASPwill be described.

<ABP>

A branching program (BP) Γ is defined by five elements indicated inFormula 119.Γ=(

,

,V ₀ , V ₁, ϕ)  [Formula 119]

Formula 120 denotes a set of vertices, and Formula 121 denotes a set ofedges. Formula 120 will be written simply as V, and Formula 121 will bewritten simply as E.

[Formula 120]

  [Formula 121]

(V, E) is a directed acyclic graph. V₀ and V₁ ∈ V are special verticescalled a source and a sink respectively, and φ is a labeling functionfor edges in E.

An ABP F over the finite field F_(q) computes a function f indicated inFormula 122.ƒ:

_(q) ^(n)→

_(q)for some n∈

  [Formula 122]

Note that the labeling function φ assigned to each edge in E is a degreeone polynomial in one variable with coefficients over F_(q) or aconstant over F_(q). Let p be a set of all paths from the source V₀ tothe sink V₁ in the ABP Γ. The output of the function f computed by theABP Γ on some input x^(→)=(x₁, . . . , x_(d)) ∈ F_(q) ^(d) is defined asindicated in Formula 123.

$\begin{matrix}{{f\left( \overset{\rightarrow}{x} \right)} = {\sum\limits_{{\mathbb{P}} \in_{p}}^{}\left\lbrack {{\prod\limits_{E \in {\mathbb{P}}}^{}{\phi(E)}}❘_{\overset{\rightarrow}{x}}} \right\rbrack}} & \left\lbrack {{Formula}123} \right\rbrack\end{matrix}$

Formula 124 denotes an evaluation value of the function φ(E) at x^(→).E∈

,ϕ(E)| _(v)   [Formula 124]

The following content is described in Non-Patent Literature “Ishai, Y.,Kushilevitz, E.: Perfect constant-round secure computation via perfectrandomizing polynomials. In: International Colloquium on Automata,Languages, and Programming-ICALP 2002. pp. 244-256. Springer (2002)”.

If ABP Γ=(V, E, V₀, V₁, φ) computing a function f is given, it ispossible to efficiently and deterministically compute a function Lmapping input x^(→) ∈F_(q) ^(d) to a (#V-1)×(#V-1) matrix L(x^(→)) overF_(q). The following (1) to (3) hold:

-   -   (1) det(L(x^(→)))=f(x^(→)).    -   (2) Each entry of (L(x^(→))) is a degree one polynomial in one        variable x_(i) (i ∈ [d]) with coefficients over F_(q) or a        constant over F_(q).    -   (3) (L(x^(→))) contains only −1's in the second diagonal, that        is, the diagonal just below the main diagonal, and contains only        0's below the second diagonal.

Specifically, the matrix L is obtained by removing the columncorresponding to V₀ and the row corresponding to V₁ from a matrixA_(Γ)-I, where the matrix A_(Γ) is an adjacency matrix for Γ and I is anidentity matrix.

Note that there exists a linear-time algorithm that converts any Booleanformula, Boolean branching program, or arithmetic formula to an ABP.

<ASP>

An access structure S=(U, ρ) in n variables is a set U of a pair ofvectors indicated in Formula 125 and a function p indicated in Formula126.

={ y ^((j)), z ^((j))}_(j∈[m]) for m ∈

  [Formula 125]where for all j∈[m],( y ^((j)) ,z ^((j)))∈(

_(q) ^(L))² for L∈

  [Formula 125]ρ: [m]→[n]  [Formula 126]

If and only if Formula 127 holds, an attribute vector x^(→) indicated inFormula 128 satisfies the access structure S.e ^((L,L))∈SPAN

x _(ρ(j)) y ^((j))+ z ^((j)) |j ∈[m]

  [Formula 127]x ∈

_(q) ^(n)  [Formula 128]

ABP and ASP are related to each other as described below.

Non-Patent Literature “Ishai, Y., Wee, H.: Partial garbling schemes andtheir applications. In: ICALP2014. pp. 650-662. Springer” discusses thatfor Formula 129, if ABP Γ=(V, E, V₀, V₁, φ) of a size m+1 computing afunction f indicated in Formula 130 is given, there exists an efficientalgorithm that constructs an access structure S of ASP indicated inFormula 131.n,m∈N  [Formula 129]ƒ:

_(q) ^(n)→

_(q)  [Formula 130]

=(

={ y ^((j)), z ^((j))}_(j∈[m])⊂(

_(q) ^((m+)1))² ,ρ: [m]→[n])such that for all x ∈

_(q) ^(n) ,f( x )=0⇔

accepts x   [Formula 131]

Formula 132 signifies that f(x^(→))=0 and that the access structure Saccepts x^(→) are equivalent.ƒ( x )=0⇔

accepts x   [Formula 132]

In the first embodiment, ABS is realized in dual pairing vector spaces(DPVS), which are dual vector spaces. Therefore, DPVS and a bilineargroup, which is a prerequisite for DPVS, will be described.

<Bilinear Group>

Note that paramG, which is a bilinear group, indicated in Formula 133includes a prime q, cyclic multiplicative groups G₁, G₂, and G_(T) oforder q, a generator g₁ of the group G₁, a generator g₂ of the group G₂,and a bilinear map e indicated in Formula 134.params

=(q,G ₁ ,G ₂ ,G _(T) ,g ₁ ,g ₂ ,e)  [Formula 133]e: G ₁ ×G ₂ →G _(T)  [Formula 134]

The bilinear map e has the following two properties of bilinearity andnon-degeneracy:

(Bilinearity)

Formula 135 holds.e(g ₁ ^(γ) ,g ₂ ^({circumflex over (γ)}))=e(g ₁ ,g₂)^(γ{circumflex over (γ)}) for all γ,{circumflex over (γ)}∈

  [Formula 135]

(Non-Degeneracy)

Formula 136 holds. Note that Formula 137 denotes an identity element ofthe group G_(T).e(g ₁ ,g ₂)≠

  [Formula 136]

  [Formula 137]

In the following description, let G_(BPG)( ) be a bilinear groupgeneration algorithm. That is, G_(BPG) is an algorithm that generatesparamG.

<Dual Pairing Vector Spaces (hereinafter, DPVS)>

Note that paramv, which is DPVS, indicated in Formula 138 is formed bythe direct product of paramG, which is a bilinear group, and paramvincludes a prime q, a d-dimensional vector space V=G₁ ^(d) and ad-dimensional vector space V*=G₂ ^(d) over the field F_(q) under vectoraddition and scalar multiplication defined for each element, canonicalbases A_(t), indicated in Formula 139, of the vector space V and thevector space V*, and a pairing operation e indicated in Formula 140.

$\begin{matrix}{{params}_{\mathbb{V}} = \left( {q,{\mathbb{V}},{\mathbb{V}}^{*},{\mathbb{G}}_{T},{\mathbb{A}},{\mathbb{A}}^{*},e} \right)} & \left\lbrack {{Formula}138} \right\rbrack\end{matrix}$ $\begin{matrix}{{{\mathbb{A}} = \left\{ {{a^{(i)} = \overset{i - 1}{\overset{︷}{\left( {{1_{\mathbb{G}}}_{1},\ldots,1_{{\mathbb{G}}_{1}}} \right.}}},g_{1},\overset{d - i}{\overset{︷}{\left. {1_{{\mathbb{G}}_{1}},\ldots,1_{{\mathbb{G}}_{1}}} \right)}}} \right\}_{i \in {\lbrack d\rbrack}}},} & \left\lbrack {{Formula}139} \right\rbrack\end{matrix}$${\mathbb{A}}^{*} = \left\{ {{a^{*{(i)}} = \overset{i - 1}{\overset{︷}{\left( {{1_{\mathbb{G}}}_{2},\ldots,1_{{\mathbb{G}}_{2}}} \right.}}},g_{2},\overset{d - i}{\overset{︷}{\left. {1_{{\mathbb{G}}_{2}},\ldots,1_{{\mathbb{G}}_{2}}} \right)}}} \right\}_{i \in {\lbrack d\rbrack}}$$\begin{matrix}{\left. {e:{\mathbb{V}} \times {\mathbb{V}}^{*}}\rightarrow{\mathbb{G}}_{T} \right.} & \left\lbrack {{Formula}140} \right\rbrack\end{matrix}$${{defined}{by}{e\left( {v,w} \right)}} = {{\prod\limits_{i \in {\lbrack d\rbrack}}^{}{e\left( {g_{1}^{v_{i}},g_{2}^{w_{i}}} \right)}} \in {\mathbb{G}}_{T}}$forallv = (g₁^(v₁), …, g₁^(v_(d))) ∈ 𝕍, w = (g₂^(w₁), …, g₂^(w_(d))) ∈ 𝕍^(*)

In Formula 139, Formula 141 is identity elements.

,

  [Formula 141]

The map e in paramv has the following two properties of bilinearity andnon-degeneracy:

(Bilinearity)

Formula 142 holds.e(γv,{circumflex over (γ)}w)=e(v,w)^(γ{circumflex over (γ)}) for allγ,{circumflex over (γ)}∈

_(q) ,v ∈

,w ∈

*  [Formula 142]

(Non-degeneracy)

Formula 143 holds.

$\begin{matrix}{{{{If}{e\left( {v,w} \right)}} = {{1_{{\mathbb{G}}_{T}}{for}{all}w} \in {\mathbb{V}}^{*}}},{{{then}v} = \overset{d}{\overset{︷}{1_{{\mathbb{G}}_{1}},\ldots,1_{{\mathbb{G}}_{1}}}}}} & \left\lbrack {{Formula}143} \right\rbrack\end{matrix}$

Formula 143 holds even if v and w are interchanged.

For a basis W of the vector space V (or the vector space V*) indicatedin Formula 144 and a vector v^(→) ∈F_(q) ^(d), Formula 145 denotes avector of the vector space V (or the vector space V*) formed by a linearcombination of elements of the basis W and elements of the vector v^(→).That is, Formula 145 denotes Formula 146.

$\begin{matrix}{{\mathbb{W}} = {\left\{ {w^{(1)},\ldots,w^{(d)}} \right\}{of}{{\mathbb{V}}\left( {{or}{\mathbb{V}}^{*}} \right)}}} & \left\lbrack {{Formula}144} \right\rbrack\end{matrix}$ $\begin{matrix}\left( \overset{\rightarrow}{v} \right)_{\mathbb{W}} & \left\lbrack {{Formula}145} \right\rbrack\end{matrix}$ $\begin{matrix}{\left( \overset{\rightarrow}{v} \right)_{\mathbb{W}} = {{\sum\limits_{i \in {\lbrack d\rbrack}}^{}{v_{i}w^{(i)}}} \in {{\mathbb{V}}\left( {{or}{\mathbb{V}}^{*}} \right)}}} & \left\lbrack {{Formula}146} \right\rbrack\end{matrix}$

For a set of vectors indicated in Formula 147, Formula 148 denotes asubspace of the vector space V formed by the set of vectors indicated inFormula 147.{v ^((i))}_(i∈[s])of

(or

*),s ∈

  [Formula 147]SPAN

v ^((i)) |i ∈[s]

  [Formula 148]

In the following description, let G_(DPVS)(1^(λ), d) be a DPVSgeneration algorithm. That is, G_(DPVS) is an algorithm that takes asinput a unary encoded security parameter 1^(λ) and a natural number dindicating a dimension, and generates paramv with a d-dimensional vectorspace V and a d-dimensional vector space V.

In the first embodiment, ABS is realized using a collision-resistanthash function. Therefore, the collision-resistant hash function to beused in the first embodiment will be described.

<Collision-Resistant Hash Function>

A hash function family H, which is related to a bilinear groupgeneration function G_(BPG) and a polynomial poly(·) is composed of twopolynomial-time algorithms, a KGen algorithm and a H^((λ,poly) _(kh)algorithm.

The KGen algorithm is a hash key generation algorithm. The KGenalgorithm is a probabilistic algorithm that takes as input a unaryencoded security parameter 1^(λ), and samples a hash key hk from a keyspace HK_(λ). The key space HK_(λ) is a probabilistic space on a bitstring parameterized by λ.

The H^((λ,poly)) _(kh) algorithm is a function that performs mappingindicated in Formula 149.

={0,1}^(poly(λ))→

_(q)\{0}

  [Formula 149]

That is, the H^((λ,poly)) _(kh) algorithm is a deterministic functionthat takes as input a unary encoded security parameter 1^(λ), and mapsan element of D={0, 1}^(poly(λ)) to an element of the field F_(q)excluding 0. Note q is the first element of paramG, which is the outputof the bilinear group generation function G_(BPG).

Description of Configurations

In the following description, it is assumed that q indicated in Formula150 is a certain prime, and Formula 151 denotes a class of all functionsindicated in Formula 152. In Formula 152, p is an arbitrary polynomialrealized by a certain polynomial-sized ABP over the field F_(q).q∈

  [Formula 150]

_(ABP) ^((q))  [Formula 151]ƒ:

_(q) ^(n)→

_(q) for any n=p(λ)∈

  [Formula 152]

In the first embodiment, the ABS scheme for a predicate family R^((q))_(Z)-ABP indicated in Formula 153 will be described.

_(Z-ABP) ^((q))={

_(Z-ABP) ^((q))(f,·):

_(q) ^(n)→{0,1}|f:

_(q) ^(n)→

_(q)∈

_(ABP) ^((q))}[Formula 153]

Note that Formula 154 holds.

_(Z-ABP) ^((q))(f, x )=1 if f( x )=0,

_(Z-ABP) ^((q))(f, x )=0 otherwise,for all f:

_(q) ^(n)→

_(q)∈

_(ABP) ^((q)), v ∈

_(q) ^(n)  [Formula 154]

As stated in the description of ASP, there exists a polynomial-timealgorithm that generates an access structure S of ASP indicated inFormula 156 for an input of any function f indicated in Formula 155.ƒ:

_(q) ^(n)→

_(q)∈

_(ABP) ^((q))  [Formula 155]

=(

,ρ)  [Formula 156]

such that for any x∈

_(q) ^(n), it holds that

_(Z-ABP) ^((q))(f, x )=1⇔f( x )=0⇔

accepts x   [Formula 156]

In Formula 156, Formula 157 signifies R^((q)) _(Z-ABP)(f, x^(→))=1,f(x^(→))=0, and that the access structure S accept x^(→) are equivalent.

_(Z-ABP) ^((q))(f, x )=1⇔f( x )=0⇔

  [Formula 157]

In the following description, it is assumed that a predicate R^((q))_(Z-ABP)(f, ·) ∈ R^((q)) _(Z-ABP) is identified by an access structureS=(U, ρ), which is a corresponding ASP representation computed by apolynomial-time algorithm.

<Construction of ABS>

The ABS scheme is a scheme for a certain predicate family R^((q))_(Z-ABP) including a message space M indicated in Formula 158 and asignature space Σ.

⊆{0,1}*  [Formula 158]

Note that * in Formula 158 denotes that the number of elements isarbitrary.

The ABS scheme includes a Setup algorithm, a KeyGen algorithm, a Sigalgorithm, and a Verify algorithm.

The Setup algorithm takes as input a unary encoded security parameter1^(λ), and outputs a public parameter MPK and a master secret key MSK.

The KeyGen algorithm takes as input a public parameter MPK, a mastersecret key MSK, and an attribute vector x^(→) indicated in Formula 159,and outputs a signature key SK(x^(→)).x ∈

_(q) ^(n) for some n=p(λ) ∈

  [Formula 159]

The Sig algorithm takes as input a public parameter MPK, an attributevector x^(→) indicated in Formula 159, a signature key SK(x^(→)) for theattribute vector x^(→), an access structure S=(U, ρ), which is an ASPrepresentation of a signature policy R^((q)) _(Z-ABP)(f, ·):F^(n)_(q)→{0, 1} ∈ R^((q)) _(Z-ABP), and a message MSG ∈ M, and outputs asignature sig or an identification symbol ⊥ indicating a failure.

The Verify algorithm takes as input a public parameter MPK, an accessstructure S=(U, ρ), which is an ASP representation of a signature policyR^((q)) _(Z-ABP)(f, ·):F^(n) _(q)→{0, 1} ∈ R^((q)) _(Z-ABP), and a pairof a message MSG ∈ M and a signature sig ∈Σ, and outputs 1 or 0.

<Configuration of Signature System 1>

Referring to FIG. 1 , a configuration of a signature system 1 accordingto the first embodiment will be described.

The signature system 1 includes a setup device 10, a key generationdevice 20, a signature device 30, and a verification device 40. Thesetup device 10, the key generation device 20, the signature device 30,and the verification device 40 are computers. The setup device 10, thekey generation device 20, the signature device 30, and the verificationdevice 40 are connected via communication channels.

Referring to FIG. 2 , a configuration of the setup device 10 accordingto the first embodiment will be described.

The setup device 10 is a computer that executes the Setup algorithm.

The setup device 10 includes hardware of a processor 11, a memory 12, astorage 13, and a communication interface 14. The processor 11 isconnected with the other hardware components via signal lines andcontrols these other hardware components.

The setup device 10 includes, as functional components, an acceptanceunit 111, a master key generation unit 112, and an output unit 113. Thefunctions of the functional components of the setup device 10 arerealized by software.

The storage 13 stores programs for realizing the functions of thefunctional components of the setup device 10. These programs are read bythe processor 11 into the memory 12 and executed by the processor 11.This realizes the functions of the functional components of the setupdevice 10.

Referring to FIG. 3 , a configuration of the key generation device 20according to the first embodiment will be described.

The key generation device 20 is a computer that executes the KeyGenalgorithm.

The key generation device 20 includes hardware of a processor 21, amemory 22, a storage 23, and a communication interface 24. The processor21 is connected with the other hardware components via signal lines andcontrols these other hardware components.

The key generation device 20 includes, as functional components, anacquisition unit 211, a signature key generation unit 212, and an outputunit 213. The functions of the functional components of the keygeneration device 20 are realized by software.

The storage 23 stores programs for realizing the functions of thefunctional components of the key generation device 20. These programsare read by the processor 21 into the memory 22 and executed by theprocessor 21. This realizes the functions of the functional componentsof the key generation device 20.

Referring to FIG. 4 , a configuration of the signature device 30according to the first embodiment will be described.

The signature device 30 is a computer that executes the Sig algorithm.

The signature device 30 includes hardware of a processor 31, a memory32, a storage 33, and a communication interface 34. The processor 31 isconnected with the other hardware components via signal lines andcontrols these other hardware components.

The signature device 30 includes, as functional components, anacquisition unit 311, a signature unit 312, and an output unit 313. Thefunctions of the functional components of the signature device 30 arerealized by software.

The storage 33 stores programs for realizing the functions of thefunctional components of the signature device 30. These programs areread by the processor 31 into the memory 32 and executed by theprocessor 31. This realizes the functions of the functional componentsof the signature device 30.

Referring to FIG. 5 , a configuration of the verification device 40according to the first embodiment will be described.

The verification device 40 is a computer that executes the Verifyalgorithm.

The verification device 40 includes hardware of a processor 41, a memory42, a storage 43, and a communication interface 44. The processor 41 isconnected with the other hardware components via signal lines andcontrols these other hardware components.

The verification device 40 includes, as functional components, anacquisition unit 411, a verification data generation unit 412, and averification unit 413. The functions of the functional components of theverification device 40 are realized by software.

The storage 43 stores programs for realizing the functions of thefunctional components of the verification device 40. These programs areread by the processor 41 into the memory 42 and executed by theprocessor 41. This realizes the functions of the functional componentsof the verification device 40.

Each of the processors 11, 21, 31, and 41 is an integrated circuit (IC)that performs processing. Specific examples of each of the processors11, 21, 31, and 41 are a central processing unit (CPU), a digital signalprocessor (DSP), and a graphics processing unit (GPU).

Each of the memories 12, 22, 32, and 42 is a storage device totemporarily store data. Specific examples of each of the memories 12,22, 32, and 42 are a static random access memory (SRAM) and a dynamicrandom access memory (DRAM).

Each of the storages 13, 23, 33, and 43 is a storage device to storedata. A specific example of each of the storages 13, 23, 33, and 43 is ahard disk drive (HDD). Alternatively, each of the storages 13, 23, 33,and 43 may be a portable recording medium, such as a Secure Digital (SD,registered trademark) memory card, CompactFlash (CF, registeredtrademark), a NAND flash, a flexible disk, an optical disc, a compactdisc, a Blu-ray (registered trademark) disc, or a digital versatile disc(DVD).

Each of the communication interfaces 14, 24, 34, and 44 is an interfacefor communicating with external devices. Specific examples of each ofthe communication interfaces 14, 24, 34, and 44 are an Ethernet(registered trademark) port, a Universal Serial Bus (USB) port, and aHigh-Definition Multimedia Interface (HDMI, registered trademark) port.

FIG. 2 illustrates only one processor 11. However, a plurality ofprocessors 11 may be included, and the plurality of processors 11 mayexecute the programs for realizing the functions in cooperation.Similarly, a plurality of processors 21, a plurality of processors 31,and a plurality of processors 41 may be included, and the plurality ofprocessors 21, the plurality of processors 31, and the plurality ofprocessors 41 may execute the programs for realizing the respectivefunctions in cooperation.

Description of Operation

Referring to FIGS. 6 to 9 , operation of the signature system 1according to the first embodiment will be described.

In the following description, a function p in the description of ASPdoes not need to be injective. Therefore, the ABS scheme to be describedbelow supports multiple uses of unlimited attributes in a signaturepolicy. “Unlimited” signifies that the number of attributes is notlimited by the public parameter MPK. “Multiple uses” signifies that thesame attribute can be used at multiple places.

Referring to FIG. 6 , operation of the setup device 10 according to thefirst embodiment will be described.

The operation of the setup device 10 according to the first embodimentcorresponds to a setup method according to the first embodiment. Theoperation of the setup device 10 according to the first embodiment alsocorresponds to processes of a setup program according to the firstembodiment.

(Step S11: Acceptance Process)

The acceptance unit 111 accepts input of a unary encoded securityparameter 1^(λ). The acceptance unit 111 writes the security parameter1^(λ) in the memory 12.

(Step S12: Basis Generation Process)

The master key generation unit 112 generates params and orthonormal dualbases {B_(ι), B*_(ι) }_(ι) _(∈) _([0,2]), taking as input the securityparameter 1^(λ) accepted in step S11.

Specifically, the master key generation unit 112 retrieves the securityparameter 1^(λ) from the memory 12. The master key generation unit 112executes an algorithm G_(OB) indicated in Formula 160, where N=2, d₀=4,d₁=14, and d₂=8, to generate params and the dual bases {B_(ι), B*_(ι)}_(ι) _(∈) _([0,2]). The master key generation unit 112 writes paramsand the dual bases {B_(ι), B*_(ι) }_(ι) _(E) _([0,2]) in the memory 12.

$\begin{matrix}{{G_{OB}\left( {N,\left( {d_{0},\ldots,d_{N}} \right)} \right)}:} & \left\lbrack {{Formula}160} \right\rbrack\end{matrix}$${{params}_{\mathbb{G}} = {\left( {q,{\mathbb{G}}_{1},{\mathbb{G}}_{2},{\mathbb{G}}_{T},g_{1},g_{2},e} \right)\overset{R}{\longleftarrow}{G_{BPG}{()}}}},$${{\psi\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}\backslash\left\{ 0 \right\}},{g_{T} = {{e\left( {g_{1},g_{2}} \right)}\psi}},$forι ∈ [0, N]params_(𝕍_(t)) = (q, 𝕍_(ι), 𝕍_(t)^(*), 𝔾_(T), 𝔸_(t), 𝔸_(t)^(*), e)${\overset{R}{\longleftarrow}{G_{DPVS}\left( {d_{\iota},{params}_{\mathbb{G}}} \right)}},$${B^{(\iota)} = {\left( b_{k,i}^{(\iota)} \right)\overset{U}{\longleftarrow}{{GL}\left( {d_{\iota},{\mathbb{F}}_{q}} \right)}}},$B^(*(ι)) = (b_(k, i)^(*(ι))) = ψ((B^((ι)))⁻¹)^(T), forallk ∈ [d_(ι)],${{let}{\overset{\rightarrow}{b}}^{({\iota,k})}{and}{\overset{\rightarrow}{b}}^{*{({\iota,k})}}{represent}{the}k^{th}{rows}{of}B^{(\iota)}{and}B^{*{(\iota)}}},$${b^{({\iota,k})} = \left( {\overset{\rightarrow}{b}}^{({\iota,k})} \right)_{{\mathbb{A}}_{\iota}}},{b^{*{({\iota,k})}} = {{\left( {\overset{\rightarrow}{b}}^{*{({\iota,k})}} \right)_{{\mathbb{A}}_{\iota}^{*}}{for}k} \in \left\lbrack d_{\iota} \right\rbrack}},$𝔹_(ι) = {b^((ι, 1)), …, b^((ι, d₁))}, 𝔹_(ι)^(*) = {b^(*(ι, 1)), …, b^(*(ι, d₁))},params = ({params_(𝕍_(ι))}_(ι ∈ [0, N]), g_(T)),return(params, {𝔹_(ι), 𝔹_(ι)^(*)}_(ι ∈ [0, N])).

(Step S13: Partial Basis Generation Process)

The master key generation unit 112 generates a partial basisB{circumflex over ( )}_(ι) and a partial basis B{circumflex over( )}*_(ι) from the dual bases {B_(ι), B*_(ι) }_(ι) _(∈) _([0,2])generated in step S12, for each integer ι of ι 0 ∈ [0, 2].

Specifically, the master key generation unit 112 retrieves params andthe dual bases {B_(ι), B*_(ι) }_(ι) _(∈) _([0,2]) from the memory 12.The master key generation unit 112 generates the partial basisB{circumflex over ( )}_(ι) and the partial basis B{circumflex over( )}*_(ι), for each integer ι of ι ∈ [0, 2], as indicated in Formula161.

₀ ={b ^((0,1)) ,b ^((0,4))},

₀ *={b* ^((0,3))},

₁ ={b ^((1,1)) , . . . ,b ^((1,4)) ,b ^((1,13)) ,b ^((1,14))},

₁ *={b ^((1,1)) , . . . ,b* ^((1,4)) ,b* ^((1,11)) ,b* ^((1,12))},

₂ ={b ^((2,1)) ,b ^((2,2)) ,b ^((2,7)) b ^((2,8))},

₂ *={b ^((2,1)) ,b* ^((2,2)) b* ^((2,5)) ,b* ^((2,6))}  [Formula 161]

(Step S14: Hash Key Generation Process)

The master key generation unit 112 samples a hash key hk by the KGenalgorithm, as indicated in Formula 162.

$\begin{matrix}{{hk}\overset{R}{\longleftarrow}{{KGen}{()}}} & \left\lbrack {{Formula}162} \right\rbrack\end{matrix}$

Note that the KGen algorithm is an algorithm for a hash function familyH related to a bilinear group generation function G_(BPG) and apolynomial poly(·). The polynomial poly(λ) represents the length of abit string formed by concatenating a message belonging to a messagespace M and a binary ASP representation representing a signature policypredicate in a predicate family R^((q)) _(Z-ABP).

(Step S15: Master Key Setting Process)

The master key generation unit 112 sets, as a public parameter MPK,params generated in step S12, the partial basis B{circumflex over( )}_(ι) and the partial basis B{circumflex over ( )}*_(ι) for eachinteger ι of ι ∈ [0, 2] generated in step S13, and the hash key hkgenerated in step S14. The master key generation unit 112 sets a basisvector b*^((0,1)) as a master secret key MSK.

Then, the master key generation unit 112 writes the public parameter MPKand the master secret key MSK in the memory 12.

(Step S16: Output Process)

The output unit 113 outputs the public parameter MPK and the mastersecret key MSK that are set in step S15.

Specifically, the output unit 113 retrieves the public parameter MPK andthe master secret key MSK from the memory 12. The output unit 113publishes the public parameter MPK by a method such as transmitting thepublic parameter MPK to a server for publication. This allows the keygeneration device 20, the signature device 30, and the verificationdevice 40 to acquire the public parameter MPK. The output unit 113transmits the master secret key MSK to the key generation device 20 insecrecy. To transmit in secrecy means to transmit after encryption by anexisting encryption scheme, for example.

That is, the setup device 10 executes the Setup algorithm indicated inFormula 163.

$\begin{matrix}{{{{Setup}{()}}:}{{1.{\left( {{params},\left\{ {{\mathbb{B}}_{\iota},{\mathbb{B}}_{\iota}^{*}} \right\}_{\iota \in {\lbrack{0,2}\rbrack}}} \right)\overset{R}{\longleftarrow}{G_{OB}\left( {2,\left( {4,14,8} \right)} \right)}}},}} & \left\lbrack {{Formula}163} \right\rbrack\end{matrix}$${{2.{\hat{\mathbb{B}}}_{0}} = \left\{ {b^{({0,1})},b^{({0,4})}} \right\}},{{\hat{\mathbb{B}}}_{0}^{*} = \left\{ b^{*{({0,3})}} \right\}},{{\hat{\mathbb{B}}}_{1} = \left\{ {b^{{1,1})},\ldots,b^{({1,4})},b^{({1,13})},b^{({1,14})}} \right\}},{{\hat{\mathbb{B}}}_{1}^{*} = \left\{ {b^{*{({1,1})}},\ldots,b^{*{({1,4})}},b^{*{({1,11})}},b^{*{({1,12})}}} \right\}},{{\hat{\mathbb{B}}}_{2} = \left\{ {b^{({2,1})},b^{({2,2})},{b^{({2,7})}b^{({2,8})}}} \right\}},{{\hat{\mathbb{B}}}_{2}^{*} = \left\{ {b^{*{({2,1})}},b^{*{({2,2})}},b^{*{({2,5})}},b^{*{({2,6})}}} \right\}},{3.{{hk}\overset{R}{\longleftarrow}{{KGen}{()}}}},{{4.{output}{MPK}} = \left( {{hk},{params},\left\{ {{\hat{\mathbb{B}}}_{\iota},{\hat{\mathbb{B}}}_{\iota}^{*}} \right\}_{\iota \in {\lbrack{0,2}\rbrack}}} \right)},{{MSK} = {b^{*{({0,1})}}.}}$

Referring to FIG. 7 , operation of the key generation device 20according to the first embodiment will be described.

The operation of the key generation device 20 according to the firstembodiment corresponds to a key generation method according to the firstembodiment. The operation of the key generation device 20 according tothe first embodiment also corresponds to processes of a key generationprogram according to the first embodiment.

(Step S21: Acquisition Process)

The acquisition unit 211 acquires the public parameter MPK and themaster secret key MSK that are output in step S16. The acquisition unit211 acquires an attribute vector x^(→)∈ F^(n) _(q). The attribute vectorx^(→) here is an attribute of a user of a signature key SK(x^(→)) to begenerated. Note that n in the attribute vector x^(→)∈F^(n) _(q)represents the number of elements in the attribute vector x^(→). Thatis, the attribute vector x^(→)=(x₁, . . . , x_(n)), where n is aninteger of 1 or more.

The acquisition unit 211 writes the public parameter MPK, the mastersecret key MSK, and the attribute vector x^(→) in the memory 22.

(Step S22: Signature Key Generation Process)

The signature key generation unit 212 samples a random number ω and arandom number φ₀ to generate an element k*⁽⁰⁾, as indicated in Formula164.

$\begin{matrix}{{{\omega\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}\backslash\left\{ 0 \right\}},{\phi_{0}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{k^{*{(0)}} = \left( {\omega,0,\phi_{0},0} \right)_{{\mathbb{B}}_{0}^{*}}}} & \left\lbrack {{Formula}164} \right\rbrack\end{matrix}$

The signature key generation unit 212 samples a random number 6 t and arandom number φ^(→(l)) to generate an element k*^((ι)), for each integerι of ι ∈ [n], as indicated in Formula 165.

$\begin{matrix}{{\sigma_{t}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{{\overset{\operatorname{\rightarrow}}{\phi}}^{(l)}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{2}},{k^{*{(l)}} = \left( {{\sigma_{t}\left( {1,t} \right)},{\omega\left( {1,x_{t}} \right)},{\overset{\rightarrow}{0}}^{6},{\overset{\rightarrow}{\phi}(t)},{\overset{\rightarrow}{0}}^{2}} \right)_{{\mathbb{B}}_{1}^{*}}}} & \left\lbrack {{Formula}165} \right\rbrack\end{matrix}$

A basis vector b*^((1,1)) and a basis vector b*^((1,2)) of the basis B*₁are an index part, and σ_(ι) (1, ι) set in the index part as acoefficient is index information I* associated with an element x_(ι) ofthe attribute vector x^(→). The index information I* is such that thesum of element-wise inner products of the index information I* andcorresponding index information I, which is used in the Verify algorithmto be described later, becomes 0.

The signature key generation unit 212 samples a random numberφ^(→(n+1,1)) and a random number φ^(→(n+1,2)) to generate an elementk*^((n+1,1)) and an element k*^((n+1,2)), as indicated in Formula 166.

$\begin{matrix}{{\overset{\rightarrow}{\phi}}^{({n,{+ 1},1})},{{\overset{\rightarrow}{\phi}}^{({{n + 1},2})}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{2}},{k^{*{({{n + 1},1})}} = \left( {{\omega\left( {1,0} \right)},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\phi}}^{({{n + 1},1})},{\overset{\rightarrow}{0}}^{2}} \right)_{{\mathbb{B}}_{2}^{*}}},{k^{*{({{n + 1},2})}} = \left( {{\omega\left( {0,1} \right)},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\phi}}^{({{n + 1},2})},{\overset{\rightarrow}{0}}^{2}} \right)_{{\mathbb{B}}_{2}^{*}}},} & \left\lbrack {{Formula}166} \right\rbrack\end{matrix}$

The signature key generation unit 212 writes the element k*⁽⁰⁾, theelement k*^((ι)) for each integer ι of ι ∈ [n], the elementk*^((n+1,1)), and the element k*^((n+1,2)) in the memory 22 as thesignature key SK(x^(→)).

(Step S23: Output Process)

The output unit 213 outputs the signature key SK(x^(→)) generated instep S22.

Specifically, the output unit 213 retrieves the signature key SK(x^(→))from the memory 22. The output unit 213 transmits the signature keySK(x^(→)) to the signature device 30 in secrecy.

That is, the key generation device 20 executes the KeyGen algorithmindicated in Formula 167.

$\begin{matrix}{{{{KeyGen}\left( {{MPK},{MSK},\overset{\rightarrow}{x}} \right)}:}{{1.\omega\overset{U}{\left. \longleftarrow \right.}{{\mathbb{F}}_{q}\backslash\left\{ 0 \right\}}},{\phi_{0}\overset{U}{\left. \longleftarrow \right.}{\mathbb{F}}_{q}},{k^{*{(0)}} = \left( {\omega,0,\phi_{0},0} \right)_{{\mathbb{B}}_{0}^{*}}},{{2.{for}\iota} \in \lbrack n\rbrack}}{{\sigma_{\iota}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{{\overset{\rightarrow}{\phi}}^{(l)}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{2}},{k^{*{(\iota)}} = \left( {{\sigma_{\iota}\left( {1,\iota} \right)},{\omega\left( {1,x_{l}} \right)},{\overset{\rightarrow}{0}}^{6},{\overset{\rightarrow}{\phi}}^{(l)},{\overset{\rightarrow}{0}}^{2}} \right)_{{\mathbb{B}}_{l}^{*}}},{3.{\overset{\rightarrow}{\phi}}^{({{n + 1},1})}},{{\overset{\rightarrow}{\phi}}^{({{n + 1},2})}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{2}},{k^{*{({{n + 1},1})}} = \left( {{\omega\left( {1,0} \right)},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\phi}}^{({{n + 1},1})},{\overset{\rightarrow}{0}}^{2}} \right)_{{\mathbb{B}}_{2}^{*}}},{k^{*{({{n + 1},2})}} = \left( {{\omega\left( {0,1} \right)},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\phi}}^{({{n + 1},2})},{\overset{\rightarrow}{0}}^{2}} \right)_{{\mathbb{B}}_{2}^{*}}},{{4.{output}{{SK}\left( \overset{\rightarrow}{x} \right)}} = {\left( {k^{*{(0)}},\ldots,k^{*{(n)}},k^{*{({{n + 1},1})}},k^{*{({{n + 1},2})}}} \right).}}}} & \left\lbrack {{Formula}167} \right\rbrack\end{matrix}$

Referring to FIG. 8 , operation of the signature device 30 according tothe first embodiment will be described.

The operation of the signature device 30 according to the firstembodiment corresponds to a signature method according to the firstembodiment. The operation of the signature device 30 according to thefirst embodiment also corresponds to processes of a signature programaccording to the first embodiment.

(Step S31: Acquisition Process)

The acquisition unit 311 acquires the public parameter MPK output instep S16. The acquisition unit 311 acquires the signature key SK(x^(→))output in step S23.

The acquisition unit 311 acquires the attribute vector x^(→)∈ F^(n) _(q)of the user, an access structure S, which is an ASP representation of asignature policy R^((q)) _(Z-ABP)(f, ·):F^(n) _(q)→*{0, 1} ∈ R^((q))_(Z-ABP), and a message MSG ∈ M. The access structure S is as indicatedin Formula 168.

=(

={ y ^((j)), z ^((j))}_(j∈[m])⊂(

_(q) ^(L))² ,ρ: [m]→[n]  [Formula 168]

L is the number of elements in each of a vector y^(→(j)) and a vectorz^(→(j)), and is an integer of 1 or more.

The acquisition unit 311 writes the public parameter MPK, the signaturekey SK(x^(→)), the attribute vector x^(→)∈ F^(n) _(q) of the user, theaccess structure S, and the message MSG in the memory 32.

(Step S32: Determination Process)

The signature unit 312 determines whether the access structure S acceptsthe attribute vector x^(→).

If acceptance is determined, the signature unit 312 advances the processto step S33. If acceptance is not determined, the signature unit 312outputs an identification symbol ⊥ indicating a failure, and ends theprocess.

(Step S33: Variable Computation Process)

The signature unit 312 computes a scalar (Ω_(j))_(j ∈[m]) ∈ F^(m) _(q)indicated in Formula 169.

$\begin{matrix}{{\overset{\_}{e}}^{({L,L})} = {\sum\limits_{j \in {\lbrack m\rbrack}}^{}{\Omega_{j}\left( {{x_{\rho(j)}{\overset{\rightarrow}{y}}^{(j)}} + {\overset{\rightarrow}{z}}^{(j)}} \right)}}} & \left\lbrack {{Formula}169} \right\rbrack\end{matrix}$

Note that if and only if Formula 127 holds, the attribute vector x^(→)indicated in Formula 128 satisfies the access structure S. Therefore,the scalar (Ω_(j))_(j∈[m]) ∈ F^(m) _(q) indicated in Formula 169 existsand can be computed.

The signature unit 312 samples a random number a random number ξ, arandom number (Ω′_(j))_(j∈[m]) ∈ F^(m) _(q), and a random number(Ω″_(j))_(j∈[m]) ∈ F^(m) _(q) indicated in Formula 170.

$\begin{matrix}{{{{\xi\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}\backslash\left\{ 0 \right\}},{\left( {\left( \Omega_{j}^{’} \right)_{j \in {\lbrack m\rbrack}},\left( \Omega_{j}^{"} \right)_{j \in {\lbrack m\rbrack}}} \right)\overset{U}{\longleftarrow}\left( {\mathbb{F}}_{q}^{m} \right)^{2}}}{{{such}{that}{\sum\limits_{j \in {\lbrack m\rbrack}}^{}\left( {{\Omega_{j}^{\prime}{\overset{\rightarrow}{y}}^{(j)}} + {\Omega_{j}^{''}{\overset{\rightarrow}{z}}^{(j)}}} \right)}} = {\overset{\rightarrow}{0}}^{L}}} & \left\lbrack {{Formula}170} \right\rbrack\end{matrix}$

The signature unit 312 writes the scalar (Ω_(j))_(j∈[m]), the randomnumber the random number (Ω′_(j))_(j∈[m]), and the random number(Ω″_(j))_(j∈[m]) in the memory 32.

(Step S34: Signature Element Generation Process)

The signature unit 312 samples a random number r*⁽⁰⁾ to generate anelement s*⁽⁰⁾, as indicated in Formula 171.

$\begin{matrix}{{{r^{*{(0)}}\overset{U}{\longleftarrow}{SPAN}}\left\langle b^{*{({0,3})}} \right\rangle},{s^{*{(0)}} = {{\xi k^{*{(0)}}} + r^{*{(0)}}}}} & \left\lbrack {{Formula}171} \right\rbrack\end{matrix}$

The random number ξ and the random number r*⁽⁰⁾ conceal the randomnumber ω and the random number φ₀ that are set in the element k*⁽⁰⁾ ofthe signature key SK(x^(→)).

The signature unit 312 samples a random number σ′_(j) and a randomnumber r*^((j)) to generates an element s*^((j)), for each integer j ofj ∈ [m], as indicated in Formula 172.

$\begin{matrix}{{\sigma_{j}^{\prime}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{{r^{*{(j)}}\overset{U}{\longleftarrow}{SPAN}}\left\langle {b^{*{({1,11})}},b^{*{({1,12})}}} \right\rangle},{s^{*{(j)}} = {{{\xi\Omega}_{j}{k^{*}\left( {\rho(j)} \right)}} + {\sigma_{j}^{\prime}\left( {b^{*{({1,11})}} + {{\rho(j)}b^{*{({1,2})}}}} \right)} + {\Omega_{j}^{''}b^{*{({1,3})}}} + {\Omega_{j}^{\prime}b^{*{({1,4})}}} + r^{*{(j)}}}}} & \left\lbrack {{Formula}172} \right\rbrack\end{matrix}$

The random number ξ and the scalar Ω_(j) conceal the element of theattribute vector x^(→) set in the element k*^((ι)) of the signature keySK(x^(→)). The random number Ω_(j) conceals Ω_(jXρ(j)). The randomnumber Ω″_(j) conceals the random number Ω′_(j).

The random number σ′_(j) conceals the index information I* set in theelement k*^((ι)) of the signature key SK(x^(→)). The random numberr*^((ι)) conceals the random number φ^(→(l)) set in the element k*^((ι))of the signature key SK(x^(→)).

The signature unit 312 samples a random number r^(*(m+1)) to generate anelement s*^((m+1)), as indicated in Formula 173.

$\begin{matrix}{{{r^{*{({m + 1})}}\overset{U}{\longleftarrow}{SPAN}}\left\langle {b^{*{({2,5})}},b^{*{({2,6})}}} \right\rangle},{s^{*{({m + 1})}} = {{\xi\left( {k^{*{({{n + 1},1})}} + {{H_{hk}^{({\lambda,{poly}})}\left( {{MSG}{❘❘}{\mathbb{S}}} \right)}k^{*{({{n + 1},2})}}}} \right)} + r^{*{({m + 1})}}}}} & \left\lbrack {{Formula}173} \right\rbrack\end{matrix}$

The random number ξ and the random number r*^((m+1)) conceal the randomnumber ω, the random number φ^(→(n+1,1)), and the random numberφ^(→(n+1,2)) that are set in the element k*^((n+1,1)) and the elementk*^((n+1,2)) of the signature key SK(x^(→)).

The signature unit 312 writes the element s*⁽⁰⁾, the element s*^((j))for each integer j of j ∈ [m], and the element s*^((m+1)) in the memory32 as a signature sig.

(Step S35: Output Process)

The output unit 313 outputs a pair of the message MSG acquired in stepS31 and the signature sig generated in step S34.

Specifically, the output unit 313 retrieves the message MSG and thesignature sig from the memory 32. The output unit 313 transmits themessage MSG and the signature sig to the verification device 40.

That is, the signature device 30 executes the Sig algorithm indicated inFormula 174.

$\begin{matrix}{{{Sig}\left( {{MPK},\overset{\_}{x},{SK},\left( \overset{\_}{x} \right),{\mathbb{S}},{MSG}} \right)}:} & \left\lbrack {{Formula}174} \right\rbrack\end{matrix}$${{if}{\mathbb{S}}{does}{not}{accept}\overset{\rightarrow}{x}},{{{it}{outputs}}\bot},$${Otherwise},{i.e.},{{if}{\mathbb{S}}{accepts}\overset{\rightarrow}{x}},{{it}{operates}{as}{follows}:}$${{1.{{computes}\left( \Omega_{j} \right)}_{j \in {\lbrack m\rbrack}}} \in {{\mathbb{F}}_{q}^{m}{such}{that}{\overset{\rightarrow}{e}}^{({L,L})}{\sum\limits_{j \in {\lbrack m\rbrack}}{\Omega_{j}\left( {{x_{\rho(j)}{\overset{\rightarrow}{y}}^{(j)}} + {\overset{\rightarrow}{z}}^{(j)}} \right)}}}},$${2.{{\xi\overset{U}{\longleftarrow}{\mathbb{F}}_{g}}\backslash\left\{ 0 \right\}}},$${{{\left( {\left( \Omega_{j}^{\prime} \right)_{j \in {\lbrack m\rbrack}},\left( \Omega_{j}^{''} \right)_{j \in {\lbrack m\rbrack}}} \right)\overset{U}{\longleftarrow}\left( {\mathbb{F}}_{q}^{m} \right)^{2}}{such}{that}{\sum\limits_{j \in {\lbrack m\rbrack}}\left( {{\Omega_{j}^{\prime}{\overset{\rightarrow}{y}(j)}} = {\Omega_{j}^{''}{\overset{\rightarrow}{z}}^{(j)}}} \right)}} = {\overset{\rightarrow}{0}}^{L}},$${3.{r^{*{(0)}}\overset{U}{\longleftarrow}{SPAN}}\left\langle b^{*{({0,3})}} \right\rangle},$s^(*(0)) = ξk^(*(0)) + r^(*(0)),${{4.{for}j} \in {\lbrack m\rbrack\sigma_{j}^{\prime}\overset{U}{\left. \longleftarrow \right.}{\mathbb{F}}_{q}}},{{r^{*{(j)}}\overset{U}{\longleftarrow}{SPAN}}\left\langle {b^{*{({1,11})}},b^{*{({1,12})}}} \right\rangle},$s^(*(j)) = ξΩ_(j)k^(*)(ρ(j)) + σ_(j)^(′)(b^(*(1, 1)) + ρ(j)b^(*(1, 2))) + Ω_(j)^(″)b^(*(1, 3)) + Ω_(j)^(′)b^(*(1, 4)) + r^(*(j)),${5.{r^{*{({m + 1})}}\overset{U}{\longleftarrow}{SPAN}}\left\langle {b^{*{({2,5})}},b^{*{({2,6})}}} \right\rangle},$s^(*(m + 1)) = ξ(k^(*(n + 1, 1)) + H_(hk)^((λ, poly))(MSG❘❘𝕊)k^(*(n + 1, 2))) + r^(*(m + 1)),6.outputsig = (s^(*(0)), …, s^(*(m + 1))).

Referring to FIG. 9 , operation of the verification device 40 accordingto the first embodiment will be described.

The operation of the verification device 40 according to the firstembodiment corresponds to a verification method according to the firstembodiment. The operation of the verification device 40 according to thefirst embodiment also corresponds to processes of a verification programaccording to the first embodiment.

(Step S41: Acquisition Process)

The acquisition unit 411 acquires the public parameter MPK output instep S16. The acquisition unit 411 acquires the pair of the message MSGand the signature sig output in step S35. The acquisition unit 411acquires the access structure S, which is the ASP representation of thesignature policy R^((q)) _(Z-ABP)(f, ·):F^(n) _(q)>{0, 1} ∈ R^((q))_(Z-ABP).

The acquisition unit 411 writes the public parameter MPK, the pair ofthe message MSG and the signature sig, and the access structure S in thememory 42.

(Step S42: Verification Data Generation Process)

The verification data generation unit 412 samples a random number u^(→)to generate a variable sj and a variable s′_(j), which are verificationinformation, for each integer j of j ∈ [m], as indicated in Formula 175.

$\begin{matrix}{{{\overset{\rightarrow}{u} = {\left( {u_{1},\ldots,u_{L}} \right)\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{L}}},{{{for}j} \in \lbrack m\rbrack}}{{s_{j} = {\overset{\rightarrow}{u} \cdot {\overset{\rightarrow}{y}}^{(j)}}},{s_{j}^{\prime} = {\overset{\rightarrow}{u} \cdot {\overset{\rightarrow}{z}(j)}}}}} & \left\lbrack {{Formula}175} \right\rbrack\end{matrix}$

The verification data generation unit 412 samples a random number u anda random number η₀ to generate an element c⁽⁰⁾, as indicated in Formula176.

$\begin{matrix}{u,{\eta_{0}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{c^{(0)} = {\left( {{{- u} - u_{L}},0,0,\eta_{0}} \right){\mathbb{B}}_{0}}}} & \left\lbrack {{Formula}176} \right\rbrack\end{matrix}$

The verification data generation unit 412 executes the following foreach integer j of j ∈ [m].

First, the verification data generation unit 412 determines whetherFormula 177 holds for the target integer j.s* ^((j))∉

₁*  [Formula 177]

If it holds, the verification data generation unit 412 outputs 0indicating that the validity of the signature sig cannot be confirmed,and ends the process. If it does not hold, the verification datageneration unit 412 samples a random number μ_(j) and a random numberη^(→(j)) to generate an element c^((j)) for the target integer j, asindicated in Formula 178.

$\begin{matrix}{{\mu_{j}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{{\overset{\rightarrow}{\eta}}^{(j)}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{2}},{c^{(j)} = \left( {{\mu_{j}\left( {{\rho(j)},{- 1}} \right)},\left( {s_{j}^{\prime},s_{j}} \right),{\overset{\rightarrow}{0}}^{6},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\eta}}^{(j)}} \right)_{{\mathbb{B}}_{1}}}} & \left\lbrack {{Formula}178} \right\rbrack\end{matrix}$

A basis vector b^((1,1)) and a basis vector b^((1,2)) of the basis B₁are an index part. The basis vector b^((1,1)) and the basis vectorb^((1,2)) of the basis B₁ are basis vectors corresponding to the basisvector b*^((1,1)) and the basis vector b*^((1,2)) of the basis B*₁. Thebasis vectors corresponding to each other signifies the basis vectors ofwhich an inner product is computed by a pairing operation.

Note that μ_(j)(ρ(j), −1) set in the index part as a coefficient isindex information I. The index information I is such that the sum ofelement-wise inner products of the index information I and thecorresponding index information I*, which is used in the signature keySK(x^(→)), becomes 0. That these pieces of index information correspondto each other signifies that ι and ρ(j) correspond to each other, andsignifies ι=ρ(j).

Specifically, the index information I* is σ_(ι) (1, ι) and the indexinformation I is μ_(j)(ρ(j), −1). Since ι=ρ(j), then σ_(ι)μ_(j)(1·ι-1·ι)=0.

The verification data generation unit 412 samples a random number κ anda random number η^(→(m+1)) to generate an element c^((m+1)) as indicatedin Formula 179.

$\begin{matrix}{{\kappa\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{{\overset{\rightarrow}{\eta}}^{({m + 1})}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{2}},{c^{({m + 1})} = \left( {\left( {{u - {\kappa{H_{hk}^{({\lambda,{poly}})}\left( {{MSG}{❘❘}{\mathbb{S}}} \right)}}},\kappa} \right),{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\eta}}^{({m + 1})}} \right)_{{\mathbb{B}}_{2}}}} & \left\lbrack {{Formula}179} \right\rbrack\end{matrix}$

(Step S43: First Verification Process)

The verification unit 413 determines whether Formula 180 holds.e(b ^((0,1)) ,s* ⁽⁰⁾=

  [Formula 180]

If it holds, the verification unit 413 outputs 0 indicating that thevalidity of the signature sig cannot be confirmed, and ends the process.If it does not hold, the verification unit 413 advances the process tostep S44.

(Step S44: Second Verification Process)

The verification unit 413 determines whether Formula 181 holds.

$\begin{matrix}{{\prod\limits_{j \in {\lbrack{0,{m + 1}}\rbrack}}{e\left( {c^{(j)},s^{*{(j)}}} \right)}} = 1_{{\mathbb{G}}_{r}}} & \left\lbrack {{Formula}181} \right\rbrack\end{matrix}$

If it holds, the verification unit 413 outputs 1 indicating that thevalidity of the signature sig has been successfully confirmed, and endsthe process. If it does not hold, the verification unit 413 outputs 0indicating that the validity of the signature sig cannot be confirmed,and ends the process.

As indicated in Formula 182, if the signature sig is valid, Formula 181holds.

$\begin{matrix}{{\prod\limits_{j \in {\lbrack{0,{m + 1}}\rbrack}}{e\left( {c^{(j)},s^{*{(j)}}} \right)}} = {{e\left( {c^{(0)},k^{*{(0)}}} \right)}{\xi \cdot {\prod\limits_{j \in {\lbrack m\rbrack}}{{e\left( {c^{(j)},k^{*{({\rho(j)})}}} \right)}^{{\xi\Omega}_{j}} \cdot \left\lbrack {{Formula}182} \right\rbrack}}}}} \\{\prod\limits_{j \in {\lbrack m\rbrack}}{{e\left( {c^{(j)},b^{*{({1,3})}}} \right)}^{\Omega_{j}^{\prime}}{{e\left( {c^{(j)},b^{*{({1,4})}}} \right)}^{\Omega_{j}^{\prime}} \cdot}}} \\{\begin{bmatrix}{e{\left( {c^{({m + 1})},k^{*{({{n + 1},1})}}} \right) \cdot e}\left( {c^{({m + 1})},k^{*{({{n + 1},2})}}} \right)} \\{H_{hk}^{({\lambda,{poly}})}\left( {{MSG}{❘❘}{\mathbb{S}}} \right)}\end{bmatrix}\xi} \\{= {g_{T}^{{\xi\omega}({{- u} - u_{L}})} \cdot {\prod\limits_{j \in {\lbrack m\rbrack}}{g_{T}^{{\xi\omega\Omega}_{j}({{x_{\rho(j)}s_{j}} + s_{j}^{\prime}})} \cdot}}}} \\{\prod\limits_{j \in {\lbrack m\rbrack}}{g_{T}^{({{\Omega_{j}^{\prime}s_{j}} + {\Omega_{j}^{''}s_{j}^{\prime}}})} \cdot g_{T}^{{\xi\omega}u}}} \\{= {g_{T}^{{\xi\omega}({{- u} - u_{L}})} \cdot g_{T}^{{\xi\omega}({\overset{\rightarrow}{u} \cdot {\sum\limits_{j \in {\lbrack m\rbrack}}{\Omega_{j}({{x_{\rho(j)}{\overset{\rightarrow}{y}}^{(j)}} + {\overset{\rightarrow}{z}}^{(j)}})}}})} \cdot}} \\{g_{T}^{\overset{\rightarrow}{u} \cdot {\sum\limits_{j \in {\lbrack m\rbrack}}{({{\Omega_{j}^{\prime}{\overset{\rightarrow}{y}}^{(j)}} + {\Omega_{j}^{''}{\overset{\rightarrow}{z}}^{(j)}}})}}} \cdot g_{T}^{{\xi\omega}u}} \\{= {g_{T}^{{\xi\omega}({{- u} - u_{L}})} \cdot g_{T}^{{\xi\omega}({\overset{\rightarrow}{u} \cdot {\overset{\rightarrow}{e}}^{({L,L})}})} \cdot g_{T}^{\overset{\rightarrow}{u} \cdot {\overset{\rightarrow}{0}}^{L}} \cdot g_{T}^{{\xi\omega}u}}} \\{= {g_{T}^{{\xi\omega}({{- u} - u_{L}})} \cdot g_{T}^{{\xi\omega}u_{L}} \cdot 1_{{\mathbb{G}}_{r}} \cdot g_{T}^{{\xi\omega}u}}} \\{= 1_{{\mathbb{G}}_{r}}}\end{matrix}$

That is, the verification device 40 executes the Verify algorithmindicated in Formula 183.

$\begin{matrix}{{{{Verify}\left( {{MPK},{\mathbb{S}},\left( {{MSG},{sig}} \right)} \right)}:}{{{1.(a)\overset{\rightarrow}{u}} = {\left( {u_{1},\ldots,u_{L}} \right)\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{L}}},{{{{for}j} \in {\lbrack m\rbrack s_{j}}} = {\overset{\rightarrow}{u} \cdot {\overset{\rightarrow}{y}}^{(j)}}},{s_{j}^{\prime} = {\overset{\rightarrow}{u} \cdot {\overset{\rightarrow}{z}}^{(j)}}},{(b)u},{\eta_{0}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{c^{(0)} = \left( {{{- u} - u_{L}},0,0,\eta_{0}} \right)_{{\mathbb{B}}_{0}}},{{(c){for}j} \in {\lbrack m\rbrack{if}s^{*{(j)}}} \notin {{\mathbb{V}}_{1}^{*}{then}{it}{outputs}0.}}}{{Otherwise},{\mu_{j}\overset{U}{\longleftarrow}{\mathbb{F}}_{g}},{{\overset{\rightarrow}{\eta}}^{(j)}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{2}},{c^{(j)} = \left( {{\mu_{j}\left( {{\rho(j)},{- 1}} \right)},\left( {s_{j}^{\prime},,s_{j}} \right),{\overset{\rightarrow}{0}}^{6},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\eta}}^{(j)}} \right)_{{\mathbb{B}}_{1}}}}{{(d){\kappa\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}},{{\overset{\rightarrow}{\eta}}^{({m + 1})}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{2}},{c^{({m + 1})} = \left( {{{\left( {{u - {\kappa{H_{hk}^{({\lambda,{poly}})}\left( {{MSG}{❘❘}{\mathbb{S}}} \right)}}},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\eta}}^{({m + 1})}} \right)_{{\mathbb{B}}_{2}}2.{It}{outputs}1{if}{e\left( {b^{({0,1})},s^{*{(0)}}} \right)}} = 1_{{\mathbb{G}}_{r}}},{{3.{It}{outputs}1{if}{\prod\limits_{j \in {\lbrack{0,{m + 1}}\rbrack}}{e\left( {c^{(j)},s^{*{(j)}}} \right)}}} = {{1_{{\mathbb{G}}_{r}}.{It}}{outputs}0{{otherwise}.}}}} \right.}}} & \left. {{Formula}183} \right\rbrack\end{matrix}$

Effects of First Embodiment

As described above, the signature system 1 according to the firstembodiment realizes the ABS scheme using a predicate vector of ABP.Thus, the ABS scheme that is practical is realized.

The signature system 1 according to the first embodiment sets the indexinformation I* as a coefficient in the index part of the signature keySK(x^(→)), and sets the index information I as a coefficient in theindex part of the verification data. If t of the index information I*and ρ(j) of the index information I correspond to each other, the indexpart becomes 0 when a pairing operation is performed on the elements*^((j)) of the signature sig and the element c^((j)) of theverification data. If ι of the index information I* and ρ(j) of theindex information I do not correspond to each other, the index part doesnot become 0 when a pairing operation is performed on the elements*^((j)) of the signature sig and the element c^((j)) of theverification data.

This allows security to be secured even when the basis B₁ and the basisB*₁ that are common to all elements of the attribute vector x^(→) areused instead of using a different bases for each element of theattribute vector x^(→). As a result, it is sufficient that the basisB{circumflex over ( )}₁ and the basis B{circumflex over ( )}*₁ beincluded in the public parameter MPK, regardless of the number ofelements in the attribute vector x^(→). That is, the number of elementsin the attribute vector x^(→) to be used can be changed arbitrarilywithout changing the public parameter MPK.

Other Configurations

<First Variation>

In the first embodiment, basis vectors of two dimensions are used as theindex part. However, provided that the sum of inner products of theindex information I* and the index information I becomes 0, basisvectors of any number of dimensions can be used as the index part.

<Second Variation>

In the first embodiment, the functional components are realized bysoftware. However, as a second variation, the functional components maybe realized by hardware. With regard to the second variation,differences from the first embodiment will be described.

Referring to FIG. 10 , a configuration of the setup device 10 accordingto the second variation will be described.

When the functional components are realized by hardware, the setupdevice 10 includes an electronic circuit 15 in place of the processor11, the memory 12, and the storage 13. The electronic circuit 15 is adedicated circuit that realizes the functions of the functionalcomponents, the memory 12, and the storage 13.

Referring to FIG. 11 , a configuration of the key generation device 20according to the second variation will be described.

When the functional components are realized by hardware, the keygeneration device 20 includes an electronic circuit 25 in place of theprocessor 21, the memory 22, and the storage 23. The electronic circuit25 is a dedicated circuit that realizes the functions of the functionalcomponents, the memory 22, and the storage 23.

Referring to FIG. 12 , a configuration of the signature device 30according to the second variation will be described.

When the functional components are realized by hardware, the signaturedevice 30 includes an electronic circuit 35 in place of the processor31, the memory 32, and the storage 33. The electronic circuit 35 is adedicated circuit that realizes the functions of the functionalcomponents, the memory 32, and the storage 33.

Referring to FIG. 13 , a configuration of the verification device 40according to the second variation will be described.

When the functional components are realized by hardware, theverification device 40 includes an electronic circuit 45 in place of theprocessor 41, the memory 42, and the storage 43. The electronic circuit45 is a dedicated circuit that realizes the functions of the functionalcomponents, the memory 42, and the storage 43.

Each of the electronic circuits 15, 25, 35, and 45 is assumed to be asingle circuit, a composite circuit, a programmed processor, aparallel-programmed processor, a logic IC, a gate array (GA), anapplication specific integrated circuit (ASIC), or a field-programmablegate array (FPGA).

The respective functional components may be realized by one electroniccircuit 15, one electronic circuit 25, one electronic circuit 35, andone electronic circuit 45, or the respective functional components maybe distributed among and realized by a plurality of electronic circuits15, a plurality of electronic circuits 25, a plurality of electroniccircuits 35, and a plurality of electronic circuits 45.

<Third Variation>

As a third variation, some of the functional components may be realizedby hardware, and the rest of the functional components may be realizedby software.

Each of the processors 11, 21, 31, 41, the memories 12, 22, 32, 42, thestorages 13, 23, 33, 43, and the electronic circuits 15, 25, 35, 45 isalso referred to as processing circuitry. That is, the functions of thefunctional components are realized by the processing circuitry.

REFERENCE SIGNS LIST

-   -   10: setup device, 11: processor, 12: memory, 13: storage, 14:        communication interface, 15: electronic circuit, 111: acceptance        unit, 112: master key generation unit, 113: output unit, 20: key        generation device, 21: processor, 22: memory, 23: storage, 24:        communication interface, 25: electronic circuit, 211:        acquisition unit, 212: signature key generation unit, 213:        output unit, 30: signature device, 31: processor, 32: memory,        33: storage, 34: communication interface, 35: electronic        circuit, 311: acquisition unit, 312: signature unit, 313: output        unit, 40: verification device, 41: processor, 42: memory, 43:        storage, 44: communication interface, 45: electronic circuit, 1:        signature system

The invention claimed is:
 1. A signature device comprising: processingcircuitry to: acquire a signature key in which an attribute vector isset over a basis B* of a basis B and the basis B*, which are dual basesin dual vector spaces, generate a signature for a message by settingpredicate information of arithmetic branching programs (ABP) for theacquired signature key, and output the generated signature and themessage, wherein the signature key includes elements respectivelycorresponding to elements of the attribute vector, and in each of theelement of the signature key, index information I* associated with acorresponding one of the elements of the attribute vector is set as acoefficient of one or more but not all basis vectors in the basis B*. 2.The signature device according to claim 1, wherein the predicateinformation is obtained from an arithmetic span program (ASP)representation corresponding to the ABP.
 3. The signature deviceaccording to claim 2, wherein the predicate information includes anelement Ω_(j) indicated in Formula 1, and wherein the processingcircuitry conceals an element of the attribute vector by the elementΩ_(j) $\begin{matrix}{{{\overset{\rightarrow}{e}}^{({L,L})} = {\sum\limits_{j \in {\lbrack m\rbrack}}{\Omega_{j}\left( {{x_{\rho(j)}{\overset{\rightarrow}{y}}^{(j)}} + {\overset{\rightarrow}{z}}^{(j)}} \right)}}}{where}{{{\overset{\rightarrow}{e}}^{({d,i})} = \overset{i - 1}{\overset{︷}{\left( {0,\ldots,0} \right.}}},1,{{\overset{d - i}{\overset{︷}{\left. {0,\ldots,0} \right)}}{for}i} \in \lbrack d\rbrack},}} & \left\lbrack {{Formula}1} \right\rbrack\end{matrix}$ d is an integer of 1 or more,

is an access structure expressed as an ASP representation,

=(

={{right arrow over (y)} ^((j)) ,{right arrow over (z)}^((j))}_(j∈[m])⊂(

_(q) ^(L))² ,ρ:[M]→[N]), n is the number of elements in an attributevector, and m,L are integers of 1 or more.
 4. The signature deviceaccording to claim 3, wherein the predicate information includes anelement Ω′_(j) and an element Ω″_(j) indicated in Formula 2, and whereinthe processing circuitry conceals an element of the attribute vector andthe element Ω_(j) by the element Ω′_(j) and the element Ω″_(j)$\begin{matrix}{{\left( {\left( \Omega_{j}^{\prime} \right)_{j \in {\lbrack m\rbrack}},\left( \Omega_{j}^{''} \right)_{j \in {\lbrack m\rbrack}}} \right)\overset{U}{\longleftarrow}\left( {\mathbb{F}}_{q}^{m} \right)^{2}}{{{such}{that}{\sum\limits_{j \in {\lbrack m\rbrack}}\left( {{\Omega_{j}^{\prime}{\overset{\rightarrow}{y}}^{(j)}} + {\Omega_{j}^{''}{\overset{\rightarrow}{z}}^{(j)}}} \right)}} = {{\overset{\rightarrow}{0}}^{L}.}}} & \left\lbrack {{Formula}2} \right\rbrack\end{matrix}$
 5. The signature device according to claim 4, wherein thesignature is sig indicated in Formula 3 $\begin{matrix}{{{sig} = \left( {s^{*{(0)}},\ldots,s^{*{({m + 1})}}} \right)}{where}{{s^{*{(0)}} = {{\xi k^{*{(0)}}} + r^{*{(0)}}}},{s^{*{(j)}} = {{{{\xi\Omega}_{j}k^{*{({\rho(j)})}}} + {\sigma_{j}^{\prime}\left( {b^{*{({1,1})}} + {{\rho(j)}b^{*{({1,2})}}}} \right)} + {\Omega_{j}^{''}b^{*{({1,3})}}} + {\Omega_{j}^{\prime}b^{*{({1,4})}}} + {r^{*{(j)}}{for}j}} \in \lbrack m\rbrack}},{s^{*{({m + 1})}} = {{\xi\left( {k^{*{({{n + 1},1})}} + {{H\left( {{MSG}{❘❘}{\mathbb{S}}} \right)}k^{*{({{n + 1},2})}}}} \right)} + r^{*{({m + 1})}}}},\xi,{\sigma_{j}^{\prime}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{{r^{*{(0)}}\overset{U}{\longleftarrow}{SPAN}}\left\langle b^{*{({0,3})}} \right\rangle},{{r^{*{(j)}}\overset{U}{\longleftarrow}{SPAN}}\left\langle {b^{*{({1,11})}},b^{*{({1,12})}}} \right\rangle},{{r^{*{({m + 1})}}\overset{U}{\longleftarrow}{SPAN}}\left\langle {b^{*{({2,5})}},b^{*{({2,6})}}} \right\rangle},k^{*{(0)}},\ldots,k^{*{(n)}},k^{*{({{n + 1},1})}},{k^{*{({{n + 1},2})}}{are}{elements}{of}a{signature}{key}},{k^{*{(0)}} = \left( {\omega,0,\phi_{0},0} \right)_{{\mathbb{B}}_{0}^{*}}},{k^{*{(\iota)}} = \left( {{\sigma_{\iota}\left( {1,t} \right)},{\omega\left( {1,x_{\iota}} \right)},{\overset{\rightarrow}{0}}^{6},{\overset{\rightarrow}{\phi}}^{(\iota)},{\overset{\rightarrow}{0}}^{2}} \right)_{{\mathbb{B}}_{1}^{*}}},{k^{*{({{n + 1},1})}} = {{\left( {{\omega\left( {1,0} \right)},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\phi}}^{({{n + 1},1})},{\overset{\rightarrow}{0}}^{2}} \right)_{{\mathbb{B}}_{2}^{*}}{for}\iota} \in \lbrack n\rbrack}},{k^{*{({{n + 1},2})}} = \left( {{\omega\left( {1,0} \right)},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\phi}}^{({{n + 1},2})},{\overset{\rightarrow}{0}}^{2}} \right)_{{\mathbb{B}}_{2}^{*}}},{{\omega\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}\backslash\left\{ 0 \right\}},{\phi_{0}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{{{for}\iota} \in {\lbrack n\rbrack{{\sigma_{\iota}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}\backslash\left\{ 0 \right\}}}},{\overset{\rightarrow}{\phi}}^{(\iota)},{\overset{\rightarrow}{\phi}}^{({{n + 1},1})},{{\overset{\rightarrow}{\phi}}^{({{n + 1},2})}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{2}},}} & \left\lbrack {{Formula}3} \right\rbrack\end{matrix}$ H is a hash function, MSG is a message, and b* is a basisvector of a basis B*.
 6. A verification device comprising: processingcircuitry to: acquire a signature in which an attribute vector andpredicate information of arithmetic branching programs (ABP) are setover a basis B* of a basis B and the basis B*, which are dual bases indual vector spaces, and verify the signature by performing a pairingoperation on the acquired signature and verification data in whichverification information is set over the basis B, wherein the signatureincludes elements respectively corresponding to elements of theattribute vector, and in each of the elements of the signature, indexinformation I* associated with a corresponding one of the elements ofthe attribute vector is set as a coefficient of one or more but not allbasis vectors in the basis B*, and wherein the verification dataincludes one or more elements corresponding to one or more elements ofthe attribute vector, and in each element of the verification data,index information I is set as a coefficient of each basis vector in thebasis B corresponding to the one or more but not all basis vectors, theindex information I being such that a sum of inner products of the indexinformation I and the index information I* becomes
 0. 7. Theverification device according to claim 6, wherein the predicateinformation and the verification information are obtained from anarithmetic span program (ASP) representation corresponding to the ABP.8. The verification device according to claim 7, wherein the predicateinformation includes Ω_(j) indicated in Formula 4 [Formula 4]$\begin{matrix}{{{\overset{\_}{e}}^{({L,L})} = {\sum\limits_{j \in {\lbrack m\rbrack}}{\Omega_{j}\left( {{x_{\rho(j)}{\overset{\rightarrow}{y}}^{(j)}} + {\overset{\rightarrow}{z}}^{(j)}} \right)}}}{where}{{{\overset{\_}{e}}^{({d,i})} = \overset{i - 1}{\overset{︷}{\left( {0,\ldots,0} \right.}}},1,{{\overset{d - i}{\overset{︷}{\left. {0,\ldots,0} \right)}}{for}i} \in \lbrack d\rbrack},}} & \left\lbrack {{Formula}4} \right\rbrack\end{matrix}$ d is an integer of I or more,

is an access structure expressed as an ASP representation,

=(

={{right arrow over (y)} ^((j)) ,{right arrow over (z)}^((j))}_(j∈[m])⊂(

_(q) ^(L))² ,ρ:[M]→[N]), n is the number of elements in an attributevector, and m,L are integers of I or more.
 9. The verification deviceaccording to claim 8, wherein the signature is sig indicated in Formula5, and wherein the verification data is c indicated in formula 6$\begin{matrix}{{sig} = \left( {s^{*{(0)}},\ldots,s^{*{({m + 1})}}} \right)} & \left\lbrack {{Formula}5} \right\rbrack\end{matrix}$ where s^(*(0)) = ξk^(*(0)) + r^(*(0)),s^(*(j)) = ξΩ_(j)k^(*(ρ(j))) + σ_(j)^(′)(b^(*(1, 1)) + ρ(j)b^(*(1, 2))) + Ω_(j)^(″)b^(*(1, 3)) + Ω_(j)^(′)b^(*(1, 4)) + r^(*(j))forj ∈ [m],s^(*(m + 1)) = ξ(k^(*(n + 1, 1)) + H(MSG❘❘𝕊)k^(*(n + 1, 2))) + r^(*(m + 1)),$\xi,{\sigma_{j}^{\prime}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},$${{r^{*{(0)}}\overset{U}{\longleftarrow}{SPAN}}\left\langle b^{*{({0,3})}} \right\rangle},{{r^{*{(j)}}\overset{U}{\longleftarrow}{SPAN}}\left\langle {b^{*{({1,11})}},b^{*{({1,12})}}} \right\rangle},$${{r^{*{({m + 1})}}\overset{U}{\longleftarrow}{SPAN}}\left\langle {b^{*{({2,5})}},b^{*{({2,6})}}} \right\rangle},$$\left( {\left( \Omega_{j}^{\prime} \right)_{j \in {\lbrack m\rbrack}},\left( \Omega_{j}^{''} \right)_{j \in {\lbrack m\rbrack}}} \right)\overset{U}{\longleftarrow}\left( {\mathbb{F}}_{q}^{m} \right)^{2}$${{{such}{that}{\sum}_{j \in {\lbrack m\rbrack}}\left( {{\Omega_{j}^{\prime}{\overset{\rightarrow}{y}}^{(j)}} + {\Omega_{j}^{''}{\overset{\rightarrow}{z}}^{(j)}}} \right)} = {\overset{\rightarrow}{0}}^{L}},$k^(*(0)), …, k^(*(n)), k^(*(n + 1, 1)), k^(*(n + 1, 2))areelementsofasignaturekey,k^(*(0)) = (ω, 0, ϕ₀, 0)_(𝔹₀^(*)),${k^{*{(\iota)}} = \left( {{\sigma_{\iota}\left( {1,\iota} \right)},{\omega\left( {1,x_{\iota}} \right)},{\overset{\rightarrow}{0}}^{6},{\overset{\rightarrow}{\phi}}^{(\iota)},{\overset{\rightarrow}{0}}^{2}} \right)_{{\mathbb{B}}_{1}^{*}}},$${k^{*{({{n + 1},1})}} = {{\left( {{\omega\left( {1,0} \right)},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\phi}}^{({{n + 1},1})},{\overset{\rightarrow}{0}}^{2}} \right)_{{\mathbb{B}}_{2}^{*}}{for}\iota} \in \lbrack n\rbrack}},$${k^{*{({{n + 1},2})}} = \left( {{\omega\left( {1,0} \right)},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\phi}}^{({{n + 1},2})},{\overset{\rightarrow}{0}}^{2}} \right)_{{\mathbb{B}}_{2}^{*}}},$${{\omega\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}\backslash\left\{ 0 \right\}},{\phi_{0}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},$${{{for}\iota} \in {\lbrack n\rbrack{{\sigma_{\iota}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}}\backslash\left\{ 0 \right\}}}},{\overset{\rightarrow}{\phi}}^{(\iota)},{\overset{\rightarrow}{\phi}}^{({{n + 1},1})},{{\overset{\rightarrow}{\phi}}^{({{n + 1},2})}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{2}},$Hisahashfunction, MSGisamessage, and, b^(*)isabasisvectorofabasisB^(*)$\begin{matrix}{c = \left( {c^{(0)},\ldots,c^{({m + 1})}} \right)} & \left\lbrack {{Formula}6} \right\rbrack\end{matrix}$ where c⁽⁰⁾ = (−u − u_(L), 0, 0, η₀)_(𝔹₀)$c^{(j)} = {{\left( {{\mu_{j}\left( {{\rho(j)},{- 1}} \right)},\left( {s_{j}^{\prime},s_{j}} \right),{\overset{\rightarrow}{0}}^{6},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\eta}}^{(j)}} \right)_{{\mathbb{B}}_{1}}{for}j} \in \lbrack m\rbrack}$$c^{({m + 1})} = \left( {\left( {{u - {\kappa{H\left( {{MSG}{❘❘}{\mathbb{S}}} \right)}}},\kappa} \right),{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{0}}^{2},{\overset{\rightarrow}{\eta}}^{({m + 1})}} \right)_{{\mathbb{B}}_{2}}$${\overset{\rightarrow}{u} = {\left( {u_{1},\ldots,u_{L}} \right)\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{L}}},$${{{{for}j} \in {\lbrack m\rbrack s_{j}}} = {\overset{\rightarrow}{u} \cdot {\overset{\rightarrow}{y}}^{(j)}}},{s_{j}^{\prime} = {\overset{\rightarrow}{u} \cdot {\overset{\rightarrow}{z}}^{(j)}}},$$u,\eta_{0},{\kappa\overset{U}{\longleftarrow}{\mathbb{F}}_{q}},{{{\mu_{j}\overset{U}{\longleftarrow}{\mathbb{F}}_{d}}{for}j} \in \lbrack m\rbrack},$${\overset{\rightarrow}{\eta}}^{(j)},{{{\overset{\rightarrow}{\eta}}^{({m + 1})}\overset{U}{\longleftarrow}{\mathbb{F}}_{q}^{2}}.}$10. A signature method comprising: acquiring a signature key in which anattribute vector is set over a basis B* of a basis B and the basis B*,which are dual bases in dual vector spaces; generating a signature for amessage by setting predicate information of arithmetic branchingprograms (ABP) for the signature key; and outputting the signature andthe message, wherein the signature key includes elements respectivelycorresponding to elements of the attribute vector, and in each of theelement of the signature key, index information I* associated with acorresponding one of the elements of the attribute vector is set as acoefficient of one or more but not all basis vectors in the basis B*.11. A non-transitory computer readable medium storing a signatureprogram that causes a computer to function as a signature device toperform: an acquisition process of acquiring a signature key in which anattribute vector is set over a basis B* of a basis B and the basis B*,which are dual bases in dual vector spaces; a signature process ofgenerating a signature for a message by setting predicate information ofarithmetic branching programs (ABP) for the signature key acquired bythe acquisition process; and an output process of outputting thesignature generated by the signature process and the message, whereinthe signature key includes elements respectively corresponding toelements of the attribute vector, and in each of the element of thesignature key, index information I* associated with a corresponding oneof the elements of the attribute vector is set as a coefficient of oneor more but not all basis vectors in the basis B*.
 12. A verificationmethod comprising: acquiring a signature in which an attribute vectorand predicate information of arithmetic branching programs (ABP) are setover a basis B* of a basis B and the basis B*, which are dual bases indual vector spaces; and verifying the signature by performing a pairingoperation on the signature and verification data in which verificationinformation is set over the basis B, wherein the signature includeselements respectively corresponding to elements of the attribute vector,and in each of the elements of the signature, index information I*associated with a corresponding one of the elements of the attributevector is set as a coefficient of one or more but not all basis vectorsin the basis B*, and wherein the verification data includes one or moreelements corresponding to one or more elements of the attribute vector,and in each element of the verification data, index information I is setas a coefficient of each basis vector in the basis B corresponding tothe one or more but not all basis vectors, the index information I beingsuch that a sum of inner products of the index information I and theindex information I* becomes
 0. 13. A non-transitory computer readablemedium storing a verification program that causes a computer to functionas a verification device to perform: an acquisition process of acquiringa signature in which an attribute vector and predicate information ofarithmetic branching programs (ABP) are set over a basis B* of a basis Band the basis B*, which are dual bases in dual vector spaces; and averification process of verifying the signature by performing a pairingoperation on the signature acquired by the acquisition process andverification data in which verification information is set over thebasis B, wherein the signature includes elements respectivelycorresponding to elements of the attribute vector, and in each of theelements of the signature, index information I* associated with acorresponding one of the elements of the attribute vector is set as acoefficient of one or more but not all basis vectors in the basis B*,and wherein the verification data includes one or more elementscorresponding to one or more elements of the attribute vector, and ineach element of the verification data, index information I is set as acoefficient of each basis vector in the basis B corresponding to the oneor more but not all basis vectors, the index information I being suchthat a sum of inner products of the index information I and the indexinformation I* becomes 0.